via Fierce Government IT
The Health and Human Services inspector general is pushing for the inclusion of additional security controls in national standards for electronic health records.
In an audit dated May 16, the HHS IG says the Office of the National Coordinator for Health Information Technology, known as ONC, has sidestepped the issue of general IT security controls.
Current ONC-required controls for practices seeking "meaningful use" certification for EHRs, in order to take advantage of $27.4 billion in subsidies made available by the HITECH Act, do require what auditors term application controls for EHRs, for example a requirement that medical data in motion be encrypted.
But auditors say ONC should require controls that extend to the wider computing environment. Data at rest on portable media need not be encrypted, the report notes, creating a potential vulnerability any time health information is downloaded onto a flash drive or CD. Auditors also note the lack of a two-factor authentication control and the absence of a requirement that machines housing health IT be regularly patched.
In a related report, auditors found 151 cybersecurity risks in IT systems at seven hospitals that accept Medicare and Medicaid. Auditors ranked 124 of those vulnerabilities as high impact; among the holes were inadequate system patching and outdated or missing antivirus software.
In the official ONC response, Farzad Mostashari, who replaced David Blumenthal as ONC head in April, said he concurred with the auditors' recommendation that ONC broaden its focus from interoperability alone to also include IT security controls for EHRs. He did not outright say that ONC will do so, but said that ONC will work with an advisory committee "to actively explore the feasibility of adding general IT security controls," a statement that appears to have satisfied the auditors.